How much at risk is the U.S.'s critical infrastructure?

The U.S. intelligence community is well aware that hostile hackers – some from nation states – have gained access to portions of the nation’s critical infrastructure. There is wide agreement that this is not a good thing. But the debate about how big a threat it is rages on.

Other experts argue just as forcefully that while the threats are real and should be taken seriously, the risks are not even close to catastrophic. They say those who predict catastrophe are peddling FUD – fear, uncertainty and doubt.

A recent example of that view was an op-ed in the Christian Science Monitor by C. Thomas, a strategist at Tenable Network Security, who uses the nickname Space Rogue.

He argued that the biggest threat to the U.S. power grid or other industrial control systems (ICS) is not a skilled hacker, but squirrels. They, along with other small animals, “cause hundreds of power outages every year and yet the only confirmed infrastructure cyberattack that has resulted in physical damage that is publicly known is Stuxnet (a computer worm that destroyed centrifuges used in the Iranian nuclear program),” he wrote.

That theory was immediately disputed by other experts, including Thomas P.M. Barnett of Resilient, who wrote in a blog post that the comparison is like calling the common cold a “bigger” threat than cancer. The cold is much more frequent, but is much less of a threat than cancer – or as he put it, cancer is “low probability but far higher impact.”

Still, growing evidence of intrusions into the power grid and other critical infrastructure by hostile foreign nation states is enough to make even anti-FUD experts wonder about how “low-probability” a major attack is.

The Associated Press reported last month on security researcher Brian Wallace’s discovery that hackers had penetrated Calpine Corp., a power producer with 82 plants operating in 18 states and Canada.

While accurate attribution of attacks is notoriously difficult, digital evidence pointed to Iran. Wallace found that the hackers had already taken engineering drawings, some labeled “mission critical,” that were detailed enough to let the intruders, “knock out electricity flowing to millions of homes.”

And this was just one incident of about a dozen during the past decade in which, “sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on,” the AP said, quoting anonymous experts.

The Wall Street Journalreported on one of those last month – that in 2013, Iranian hackers infiltrated the control system of a dam in Rye, N.Y., just 20 miles outside of New York City.

And the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said recently that it had received reports of 295 incidents involving critical infrastructure in the 2015 fiscal year, up from 245 in the previous year, or 20.4 percent.

The threat is a human adversary and it is foolish to think technology alone will stop a human adversary.

None of these intrusions have resulted in a known cyber attack that has taken down even a portion of the grid yet. But Robert M. Lee, cofounder of Dragos Security and a former U.S. Air Force cyber warfare operations officer, told the AP that if relations between Iran and the U.S. degrade, “and Iran wants to target these facilities, if they have this kind of information it will make it a lot easier.”

That does not mean he thinks Armageddon is at hand, however. Lee told CSO that even with that kind of access, he doubts attackers could, “control the operations networks or damage infrastructure enough to keep power down for longer than a few hours.”

Jeremy Scott, senior research analyst at Solutionary, has a similar view. “The threat is real and serious – we are highly dependent on critical infrastructure for our daily lives and it would have a significant impact,” he said, “but it would not be the crippling blow that some would think.”

Of course, both Lee and Scott stress that they are speaking in the present tense. The possible damage from a cyber attack could grow worse if hostile hackers improve their skills over time.

The threat is real and serious … but it would not be the crippling blow that some would think

Jeremy Scott, senior research analyst, Solutionary

Mark Gazit, CEO of ThetaRay, agrees that the current threat from hackers is not at the catastrophic level, but believes that as nation-state hackers get more sophisticated, “their reach is definitely getting closer and closer to the mission-critical junctures of ICS operations.”

Meanwhile, the cyber security of ICSs remains notoriously weak – they were originally designed for reliability, not for connectivity, and are difficult to upgrade or replace. “A lot of security problems are baked in,” said Kevin Fu cofounder and chief scientist at Virta Labs.

“It’s legacy hardware and the systems are unusual – it’s not your desktop computer of 2016. Even if you had the budget, they’re hard to buy,” he said.

Indeed, James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), famously told CBS’s “60 Minutes” in November 2009, that major electrical generators require a lead time of three or four months just to order them.

“It's not like if we break one, we can go down to the hardware store and get a replacement,” he said.

Of course, even hostile nation states would be unlikely to seek to disable the U.S. in a major way, since it would be seen as an act of war that would trigger a ferocious response, and could also have a major effect on the stability and economy of every other nation in the world, including their own.

There are also assumptions, even if they are not confirmed officially, that if nations like North Korea, China, Russia and Iran have breached ICS facilities in the U.S., the U.S. has penetrated their facilities as well, creating the cyber version of the balance of terror.

Lee and Scott, asked about that, both issued a terse, “no comment.”

But Gazit said he suspects it is true. “History shows that no playing field ever gets too one-sided,” he said. “When one side develops skills, the other side develops skills as well.”

None of those constraints apply, however, to terrorist groups like the Islamic State (commonly called ISIS), which have an apocalyptic view of international relations. They are not seen as a cyber threat now, but could become one.

“Groups like ISIS are mostly using the Internet for recruiting purposes,” said Justin Harvey, CSO at Fidelis Security, “but I don’t think this will always be true. It is only a matter of time before ISIS gets their collective stuff together and starts funding cyber terrorism.”

Fu believes that the best anyone can do in analyzing cyber threats is an educated guess. “The risks are real,” he said. “Everything could be fine for 10 years, but there is no way of giving any meaningful assurance that it will stay that way.

“At what point will an entity like terrorists develop that capability? We don’t know.”

And that gets back to an issue on which most experts agree. Whether the threat level is catastrophic or not, American ICS operators need to improve their security. That means improvements in both technology and the skills of the humans running it.

When it comes to technology, the emphasis should be on detection and rapid response more than on prevention, they said.

“Stop investing so much in prevention technologies and focus on detection platforms that forensically examine network and endpoint metadata for threats,” Harvey said.

Gazit agrees. “Machine-based solutions using advanced algorithms can provide real-time detection, actionable intelligence and uninterrupted response,” he said, “providing the necessary alerts to human beings so they can make the right decision at the right time.”

According to Lee, “the big focus needs to be on the training and empowering of security personnel. The threat is a human adversary and it is foolish to think technology alone will stop a human adversary. To counter flexible and persistent adversaries requires empowered and trained defenders.

Organizationally, the Industrial Control Systems Joint Working Group is a partnership between federal agencies and private ICS owners.

Fu said if ICS operators would simply use the formula established by the National Institute of Standards and Technology, they would substantially improve their security.

“You need to think about the risks, about what controls you’re putting in place to mitigate them, and then how you are measuring them to see if those controls are effective,” he said. “People tend to forget the third one, but it’s very important.”